IE, Firefox, Flash Fall at Pwn2Own, but Exploit Unicorn Still Lives

HP's ZDI awards $400,000 in prize money at Pwn2Own as new zero-day flaws are demonstrated in popular Web technologies.

Once again, the Pwn2Own event has proved that no matter how hard vendors try, vulnerabilities remain in popular Web browser technologies. On March 12, security researchers at the Pwn2Own security challenge found new zero-day flaws in Microsoft's Internet Explorer, Mozilla's Firefox, Adobe Flash and Adobe Reader technologies.

In total, Hewlett-Packard's Zero-Day Initiative (ZDI), which runs the Pwn2Own event, has awarded $400,000 in prize money to researchers for their discoveries. An additional $82,500 in prize money was donated by HP to the Canadian Red Cross for discoveries made by HP and Google as part of the Pwn4Fun component of the Pwn2Own event.

The Pwn4Fun event enabled HP and Google researchers to demonstrate new zero-day flaws.

"Researchers from HP’s Zero Day Initiative compromised Microsoft Internet Explorer 11 using a use-after-free vulnerability chained with a sandbox bypass technique," Brian Gorenc, manager of Vulnerability Research at the HP Zero-Day Initiative, told eWEEK.

Gorenc added that his group also disclosed six additional zero-day vulnerabilities in the Internet Explorer browser. HP donated $50,000 in prize money to the Canadian Red Cross for the IE discoveries. Google also found flaws in Web technologies at Pwn4Fun.

"A researcher from Google demonstrated vulnerabilities in Apple Safari, gaining a root compromise of the target," Gorenc said.

The Google compromise of Safari yielded a $32,500 donation to the Canadian Red Cross.


On the main Pwn2Own front, security research firm VUPEN once again is the big winner.

VUPEN has emerged in the last three years to become the dominant player in the Pwn2Own contest. In 2011, VUPEN researchers hacked Apple Safari in 5 seconds. In 2012, VUPEN hacked Google Chrome, making short work of that browser's security. In 2013, VUPEN successfully exploited Firefox, IE and Java.

At the 2014 event, VUPEN so far has earned $300,000 in prize money by successfully exploiting Firefox for $50,000, IE for $100,000, Adobe Reader for $75,000 and Adobe Flash for $75,000.

HP this year is awarding multiple prizes per browser category and has pledged to purchase all successful exploit attempts from the registered contestants.

"Firefox was a popular target for our researchers and was successfully exploited three times in the first day," Gorenc said. "All of the vulnerabilities affecting Firefox were unique, including a use-after-free, a privilege escalation, and an out-of-bounds read and write."

In addition to the VUPEN Firefox exploit, security researcher Mariusz Mlynski and researcher Juri Aedla were both able to exploit Firefox independently. For their efforts, Mlynski and Aedla were each awarded $50,000.

While HP has already awarded $400,000 in total prize money, the richest single prize at the Pwn2Own event still remains unclaimed. HP set up a special "Exploit Unicorn" category for 2014, which challenges researchers to exploit Internet Explorer 11 running on a 64-bit Windows 8.1 operating system, with the Enhanced Mitigation Experience Toolkit (EMET) running. The prize for successfully compromising the Exploit Unicorn is $150,000.

"Unfortunately, no one signed up for the Exploit Unicorn category, but we did have several researchers talking to us about it," Gorenc said. "We enjoy bringing challenging categories to the contest and will continually push the envelope when testing mitigation technologies."

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.